SEC579: Virtualization and Private Cloud Security Waitlist

SEC579 is the absolute best virtualization security information available! And it is immediately usable.

Leonard Lyons, Northrop Grumman

The rush for virtualization is difficult for security sensitive environments. SEC579 helps demonstrate which risks are valid.

Paul Mayers, Lloyds Banking Group

One of today's most rapidly-evolving and widely-deployed technologies is server virtualization. Many organizations are already realizing the cost savings from implementing virtualized servers, and systems administrators love the ease of deployment and management for virtualized systems. More and more organizations are deploying desktop, application and network virtualization, as well. There are even security benefits of virtualization - easier business continuity and disaster recovery, single points of control over multiple systems, role-based access, and additional auditing and logging capabilities for large infrastructures.

Virtualization Vulnerabilities

With these benefits comes a dark side, however. Virtualization technology is the focus of many new potential threats and exploits, and presents new vulnerabilities that must be managed. In addition, there are a vast number of configuration options that security and system administrators need to understand, with an added layer of complexity that has to be managed by operations teams. Virtualization technologies also connect to network infrastructure and storage networks, and require careful planning with regard to access controls, user permissions and traditional security controls.

In addition, many organizations are evolving virtualized infrastructure into private and hybrid clouds - shared services running on virtualized infrastructure. Security architecture, policies, and processes will need to be adapted to work within a cloud infrastructure, and there are many changes that security and operations teams will need to accommodate to ensure assets are protected.

SEC579 starts with two days of architecture and security design for both virtualization and private cloud infrastructure. The entire gamut of components will be covered, ranging from hypervisor platforms to virtual networking, storage security, and locking down the individual virtual machine files. We will describe how to secure the management interfaces and servers, delve into Virtual Desktop Infrastructure (VDI), and go in-depth on what to consider when building a private cloud from existing virtualization architecture. Finally, we will look at integrating virtual firewalls and intrusion detection systems into the new architecture for access control and network monitoring.

Vulnerability Management and Penetration Testing, and Intrusion Detection and Forensics

The third and fourth days of SEC579 go into detail on offense and defense - how can we assess a virtualized environment using scanning and penetration testing tools and techniques, and how do things change when we move to a cloud model? We will cover a variety of scanners and vulnerability management tools and practices, then take a hard look at virtualization vulnerabilities, exploits and toolkits for penetration testing that we can put to use in class.

Once we cover the offense, we will take the opposite approach and go into detail on performing intrusion detection and logging within the virtual environment, as well as covering anti-malware advances and changes within virtual infrastructure. We will wrap up the session by covering incident handling within virtual and cloud environments, as well as adapting forensics processes and tools to ensure we can maintain chain-of-custody and perform detailed analysis of virtualized assets.

Day five will help you adapt your existing security policies and practices to the new virtualized or cloud-based infrastructure. We will show you how to design a foundational risk assessment program and then build on this with policies, governance, and compliance considerations within your environment. We will cover auditing and assessment of your virtualized assets, with a session on scripting to help you put this program into practice right away. Then we will go in-depth into data security within a private cloud environment, discussing encryption and data lifecycle management techniques that will help you keep up with data that are much more mobile than ever before. We will touch on Identity and Access Management within a virtualized/cloud environment, followed by scripting for automation and security, then wrap up with a session on disaster recovery and business continuity planning that leverages and benefits from virtualization and cloud-based technology.

Virtualization Auditing and Compliance

Day six will cover the top virtualization configuration and hardening guides from Defense Information Security Agency (DISA, Center for Internet Security (CIS), Microsoft, and VMware. We will talk about the most critical take-aways from these guides to implement. We will then perform a scripted, hands-on audit of VMware technology using controls guidance from the VMware hardening guide.

You Will Learn:

Best practices for configuring and designing virtual security controls and infrastructure

Vulnerabilities and threats related to virtual infrastructure and cloud environments

How the network security landscape (products and architecture) is changing with virtualization and private clouds

New vulnerability assessment and forensic techniques to use within a virtual environment

How scripting and automation can assist with audits in a virtual environment

For SEC579 Virtualization and Private Cloud Security courses conducted at multi-course training events in the United States, a laptop will be provided for class use. However, for international events and private training classes, a hard drive will be provided for class use.

Course Syllabus

SEC579.1: Virtualization Security Architecture and Design

Overview

The first day of class will cover the foundations of virtualization infrastructure and different types of technology. We will define and clarify the differences between server virtualization, desktop virtualization, application virtualization, and storage virtualization, and we will lay out a simple architecture overview that sets the stage for the rest of the day. Then we will dissect the various virtualization elements that comprise the architecture one by one, with a focus on the security configurations that will help you create or revise your virtualization design to be as secure as possible. We will start off with hypervisor platforms, covering the fundamental controls that can and should be set within VMware ESX and ESXi, Microsoft Hyper-V, and Citrix XenServer.

Students will then spend considerable time analyzing and constructing virtual networks with security in mind. We will compare and contrast various designs for internal networks and DMZs, giving special attention to segmentation and physical network connectivity. Virtual switch types will be discussed, along with VLANs and PVLANs, as well as how to configure them to achieve the most robust network security possible. We will finish the day by examining virtual machine settings, with an emphasis on VMware VMX files. We will look at some of the ways organizations carefully control access to and from these virtual machines.

CPE/CMU Credits: 6

Topics

Virtualization components and architecture designs

Different types of virtualization, ranging from desktops to servers and applications

SEC579.2: Virtualization and Private Cloud Infrastructure Security

Overview

Day two starts by finishing up the previous day's coverage of virtualization design elements, including storage and storage security. One of the most overlooked security areas today, large-scale storage plays a critical role in virtualization and private cloud infrastructure Some tips and tactics will be covered to help organizations better secure Fibre Channel, iSCSI, and NFS-based NAS technology. Next we will tackle virtualization management. VMware vCenter, Microsoft System Center Virtual Machine Manager (SCVMM), and Citrix XenCenter will all be covered, with an emphasis on vCenter. Client connectivity and security will also be discussed, both from a configuration and design standpoint. The class then covers Virtual Desktop Infrastructure (VDI), with an emphasis on security principles and design. Specific security-focused use cases for VDI, such as remote access and network access control, will also be discussed.

Next we will design a secure private cloud architecture. There are many considerations for organizations migrating from virtualization to a private cloud, and a number of these affect security. We will outline all the areas previously covered for virtualization, ranging from networks to hypervisors and virtual machines, and point out where security configuration and design differs for a cloud model. We will also break down a number of different private cloud models for specific business use cases, and students will analyze security controls within these models.

The next section will delve into network security adapted to fit into a virtual infrastructure. Do firewalls and network access controls work the same with virtual systems and cloud models? We will find out! Students will take an in-depth look at virtual firewalls and even set one up. Virtual switches will be revisited here, as they pertain to segmentation and access controls. Students will also build a virtualized intrusion detection model, integrating promiscuous interfaces and traffic capture methods into virtual networks, then setting up and configuring a virtualized intrusion detection system (IDS) sensor. Some attention will also be paid to host-based IDS, with considerations for multitenant platforms and the performance impact any agent-based product can have in a virtual environment.

CPE/CMU Credits: 6

Topics

Storage security and design considerations

How to lock down management servers and clients for vCenter, XenServer, and Microsoft SCVMM

SEC579.3: Virtualization Offense and Defense (Part I)

Overview

This session will delve into the offensive side of security specific to virtualization and cloud technologies. While many key elements of vulnerability management and penetration testing are similar to traditional environments, there are also many differences, which will be covered here.

We will first examine a number of specific attack scenarios and models that represent the different risks organizations face in their virtual environments. Then we will go through the entire penetration testing and vulnerability assessment lifecycle, with an emphasis on virtualization tools and technologies. We will progress through scanners and how to use them for assessing virtual systems, then turn to virtualization exploits and attack toolkits that can be easily added into existing penetration test regimens. We will also cover some specific techniques that may help in cloud environments, providing examples of scenarios where certain tools and exploits are less effective or more risky to use than others.

After covering the offensive side of things, we will turn to intrusion detection, starting with a simple architecture refresher on how IDS and monitoring technologies fit into a virtual infrastructure. Students will then learn about monitoring traffic and looking for malicious activity within the virtual network. Numerous network-based and host-based tools will be covered and implemented in class. This topic will also be extended to the private cloud environment, with some special caveats that all organizations should pay attention to.

Finally, students will learn about logs and log management in virtual environments. What kinds of logs do virtualization platforms produce, and what should organizations focus on? How can these logs (for both hypervisors and virtual machines) fit into a Security Information and Event Management solution? What should we look for to discover attacks and security issues?

CPE/CMU Credits: 6

Topics

Attack models that pertain to virtualization and cloud environments

Penetration testing cycles with a focus on virtualization and cloud attack types

Specific virtualization platform attacks and exploits

How to modify vulnerability management processes and scanning configuration to get the best results in virtualized environments

SEC579.4: Virtualization Offense and Defense (Part II)

Overview

This session is all about defense! We will start off with an analysis of anti-malware techniques, looking at traditional antivirus, whitelisting, and other tools and techniques to combat malware, with a specific eye toward virtualization and cloud environments. New commercial offerings in this area will also be discussed to provide context.

Most of this session will focus on incident response and forensics in a virtualized or cloud-based infrastructure. We will walk students through the six-step incident response cycle espoused by NIST and SANS, and highlight exactly how virtualization fits into the big picture. Students will discuss and analyze incidents at each stage, again with a focus on virtualization and cloud. We will finish the incident response section by looking at processes and procedures that organizations can put to use right away to improve their awareness of virtualization-based incidents.

The final section of the day will focus on forensics and how students can adapt forensics processes to work in virtual and cloud environments. We will capture and duplicate virtual machines and ensure that they are sound and maintained in a best-practices format for proper chain-of-custody retention. The current landscape of forensics tools will be covered, with a focus on which tools work best to analyze virtual images and data from virtual infrastructure. Special emphasis will be given to the analysis of hypervisor platforms.

CPE/CMU Credits: 6

Topics

How anti-malware tools function in virtual and cloud environments

What kinds of new tools and tactics are available for effective anti-malware operations in the cloud and virtual machines

Pulling Netflow and packet data from virtual environments for analysis

How forensics processes and tools should be used and adapted for virtual systems

What tools are best to get the most accurate results from virtual machine system analysis

How to most effectively capture virtual machines for forensic evidence analysis

What can be done to analyze hypervisor platforms, and what does the future of virtual machine forensics hold?

Overview

This session will explore how traditional security and IT operations change with the addition of virtualization and cloud technology in the environment. Our first discussion will be a lesson on contrast. First, we will present an overview of integrating existing security into virtualization. Then, we will take a vastly different approach and outline how virtualization actually creates new security capabilities and functions. This will provide a solid foundation for students to understand just what a paradigm shift virtualization is, and how security can benefit from it even while still adapting in many ways.

Our first step in integrating virtualization into the existing environment will be to lay out a sound risk assessment process that security professionals can use to identify and locate the threats, vulnerabilities, and impacts. With virtualization and cloud technologies, risk profiles are very different, and security teams will need to evaluate technology and infrastructure differently in order to adequately advise an enterprise where to focus and how to allocate resources to best protect itself. A more in-depth treatise will be covered for cloud technologies, with a description of the Jericho Forum Cloud Cube model and how it can be leveraged by organizations to assess risk for their internal clouds.

We will then spend some time on policy and governance for both virtualization and cloud technologies. What kinds of new policies are needed? What existing policies need to be updated? We will also provide guidance for information security managers who need to answer some tough questions from organizational leadership about how and why cloud and virtualization security measures should be implemented.

Next we will cover two critical topics for private cloud implementations (and virtual machines in general): data security and encryption, and Identity and Access Management (IAM). As organizations have more and more mobile virtual machines moving through their data centers, and as they extend private clouds to cloud providers, partners and others, the need to protect the entire virtual machine is more paramount than ever.

Encryption techniques and data lifecycle processes can significantly improve the security of virtual and cloud environments. We will delve into the key techniques and processes security and operations teams need to know, including PKI infrastructure, commercial tools for implementing data protection, and an easy-to-implement method to evaluate and update data lifecycle management policies and processes. Identity and access management (IAM) is a key component of many cloud infrastructures, especially those that need to integrate with partners and other external parties, so we will look at the key things organizations need to know when implementing and evaluating IAM tools and capabilities in private clouds. We will then do some hands-on work with scripting for automation, using both PowerCLI and vSphere CLI.

The last major section of the day will cover something critical to all enterprises - disaster recovery (DR) and business continuity planning (BCP). Virtualization, cloud technology, and architecture can help organizations implement much more robust DR and BCP strategies, and we will look in-depth at what tools are available to help with this. In addition, students will learn about updates they will need to make to DR and BCP policies and evaluation techniques in order to more accurately take the new virtualized infrastructure into account.

CPE/CMU Credits: 6

Topics

How security can adapt to accommodate virtualization infrastructure

How virtualization tools and technology can augment and facilitate security

SEC579.6: Auditing and Compliance for Virtualization and Cloud

Overview

Today's session will start off with a lively discussion on virtualization assessment and audit. You may be asking, how can you possibly make a discussion on auditing lively? Trust us! We will cover the top virtualization configuration and hardening guides from DISA, CIS, Microsoft, and VMware, and talk about the most important and critical things to take away from these to implement. We will really put our money where our mouth is next - students will learn to implement audit and assessment techniques by scripting with the VI CLI, as well as some general shell scripting! Although not intended to be an in-depth class on scripting, some key techniques and ready-made scripts will be discussed and used in class to get students prepared for implementing these principles in their environments as soon as they get back to work.

We will wrap up the day with some general compliance guidelines that address specific controls needed for some of the major compliance mandates, including PCI DSS, HIPAA, and SOX.

CPE/CMU Credits: 6

Topics

Assessment and audit plans for virtualization and private cloud components

Key configuration controls from the leading hardening guides from DISA, CIS, VMware, and Microsoft

Compliance mandates and how you can institute controls in both virtualization and cloud infrastructure to satisfy requirements

Additional Information

Laptop Required

Laptops for SEC579 lab exercises will be provided for students to use during class in all US classes. Students will be given USBs with labs loaded to take home after class. For SEC579 Virtualization and Private Cloud Security courses conducted in the United States, a laptop will be provided for class use. However, for international events and onsite classes, a USB drive will be provided for class use.

For those classes where students are required to provide their own laptop, students will need a laptop with:

250 GB hard drive (with a minimum of 100 GB of free space)

Windows 7/8 (Macs will work but are not officially supported)

64-bit OS required

VMware Workstation 10 or above (VMware Fusion for Macs will work, but is not officially supported). Students should be comfortable with the operation of VMware Workstation (or Fusion) before coming to class, as we will not cover how to use this software in class.

16 GB RAM or more

Intel i5/i7 or equivalent processor (i7 strongly recommended)

USB port (preferably USB3)

Also, be sure to use Intel's CPU Processor Identification utility to verify VT-x support in your chipset. And note that students must be able to disable AV, firewall, and any media and USB protections on their laptops, so Administrator rights are required.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

Security personnel who are tasked with securing virtualization and private cloud infrastructure

Network and systems administrators who need to understand how to architect, secure and maintain virtualization and cloud technologies

Technical auditors and consultants who need to gain a deeper understanding of VMware virtualization from a security and compliance perspective

What You Will Receive

In this course, you will receive the following:

MP3 audio files of the complete course lecture

You Will Be Able To

Lock down and maintain a secure configuration for all components of a virtualization environment

Perform audits and risk assessments within a virtual or private cloud environment

Hands-on Training

ESXi Lockdown

vMotion Attack on Data Confidentiality

Netflow in a Virtual Infrastructure

Press & Reviews

"The rush for virtualization is difficult for security sensitive environments. SEC579 helps demonstrate which risks are valid." - Paul Mayers, Lloyds Banking Group

"SEC579 actually provides pertinent information outside what is freely available and is applicable to securing my organization's virtual infrastructure." - David Richardson, ManTech

"SEC579 is the absolute best virtualization security information available! And it is immediately usable." - Leonard Lyons, Northrop Grumman

Author Statement

Seeing the growth in virtualization technology over the past decade, I realized how important it was to educate security professionals on how the nature of their infrastructure is changing. We cannot keep securing systems the same way when the footprint of our data centers is radically different! As more organizations build private and hybrid clouds, we are changing trust models toward shared infrastructure as well. This course will help security, IT operations and audit team members develop a solid understanding of what is changing and how they can best secure these new technologies.